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(54) A method and apparatus for restricting access to private information in domain name 
systems by redirecting query requests 



(57) A device and method redirect query requests 
to restrict access to private information of a domain in a 
domain name system. The device includes a switching 
device that redirects query requests for the private in- 
formation from within the domain to a device within the 



domain. The private information includes IP addresses 
and domain names. All the devices in the domain may 
be modified to direct all query requests to the switching 
device or the switching device may be incorporated into 
a firewall of the domain. 
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Description 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 5 

This invention relates to restricting access to private 
information in domain name systems. 

2. Description of Related Art 

Many distributive systems assign names in the dis- 
tributive system by a hierarchial naming scheme known 
as domain names. Distributive systems using domain 
names are called Domain Name Systems (DNSs). A do- 
main name is a sequence of domain names separated 
by periods. For example, research.att.com is a domain 
name. Com is a top level domain name of a top level 
domain, att is a second level domain name of a second 
level domain and research is a third level domain name 
of a third level domain. A device in a domain is labeled 
by the name of the device followed by the domain name. 
Thus, a device labeled "server" in the research.att.com 
domain has the name, server.research.att.com. A de- 
vice name is also referred to as a domain name. 

While domain names partition a distributive system 
in a logical and hierarchial manner, messages are trans- 
ferred between devices of the DNS by identifying devic- 
es using IP addresses. IP addresses are 32-bit numbers 
that are expressed as four 8-bit values separated by pe- 
riods such as 191.192.193.2. IP addresses contain in- 
formation such as network ID of a device network con- 
nection and a device ID. The IP address are assigned 
by an address authority The addresses are assigned in 
blocks to authoritative address servers. 

The IP addresses relate to each other also in a hi- 
erarchical manner, however, the domain name hierar- 
chy and the IP address hierarchy are not directly related 
to each other. While some name servers are also ad- 
dress servers, name and address servers do not have 
to be the same device. Thus, it is possible for a server 
to have authority to resolve a domain name into a cor- 
responding IP address of a device, the same name serv- 
er may not be able to resolve the IP address to the cor- 
responding domain name of the same device. Thus, res- 
olution of IP addresses to domain names follows a sim- 
ilar process as resolving domain names to IP addresses 
except different servers may be involved. 

Because IP addresses are numerical and, unlike a 
domain name, are assigned without regard to the logical 
and hierarchial organization of the DNS, domain names 
are generally used in instructions for functions such as 
data transfers. Thus, a data transfer instruction identi- 
fies the receiving device by its domain name. However, 
the domain name must be translated into a correspond- 
ing IP address before the data transfer can occur 

Domain names are managed by authoritative devic- 
es called name servers. Name servers translate domain 



names into corresponding IP addresses and vice-versa. 
When a first device desires to transfer a message to a 
second device known only by its domain name, the first 
device must query a name server to acquire the corre- 
sponding IP address to the known domain name of the 
second device. 

Because of the potentially large volume of IP ad- 
dress query requests which fpay significantly reduce the 
efficiency of the DNS, many schemes have been imple- 
mented to reduce the workload of name servers and as- 
sociated network traffic. However, while these schemes 
improve the efficiency of the DNS, they also introduce 
opportunities for unauthorized activities such as gaining 
unauthorized access to information private to a domain 
or login into private machines. Thus, there is a need to 
restricted access to private information within a DNS. 

SUMMARY OF THE INVENTION 

An intruder gains access to information private to a 
donnain by taking advantage of the domain name reso- 
lution process used by DNSs. Because instructions for 
functions such as data transfers use domain names to 
specify destination devices, the domain names must be 
translated (resolved) into IP addresses before a data 
transfer can occur. The intruder takes advantage of the 
process for resolving domain names into IP addresses 
to gain access to private information. In particular, the 
intruder passes corrupted IP addresses and/or domain 
names to a target domain so that normal name resolu- 
tions produces the IP address of the intruder's device 
instead of an intended destination device. 

The invention prevents the intruder from gaining ac- 
cess to private information of a domain by removing any 
possibility for a device within the domain to receive pri- 
vate information from a device external to the domain. 
In particular, the invention provides a DNS proxy device 
that performs a switching function. 

The switching function receives query requests for 
donnain name resolutions from devices within the do- 
main and redirects any requests for domain names or 
IP addresses of devices within the domain to another 
device within the domain such as a name server. All re- 
quests for information not private to the donnain is for- 
warded to the destination device external to the domain. 

Specifically, the invention provides a system in a 
DNS that restricts access to private information of a first 
domain. The system includes a switching device. The 
switching device receives all requests for information 
from the first domain and redirects a request for private 
information to authoritative sources for the private infor- 
mation in the first domain. All requests directed to de- 
vices in the second domain for information that is not 
private, are transferred to the devices in the second do- 
main. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

The invention is described in detail with reference 
to the following drawings, wherein like numerals repre- 
sent like elements: 

Fig. 1 is a block diagram of a distributive system; 
Fig. 2 is a diagram showing a hierarchy of domain 
names; 

Fig, 3 shows a diagram of hierarchial domain names 
separated into domains; 

Fig, 4 is a diagram of the domains of Fig. 3 with de- 
vices having IP addresses; 

Fig. 5 is a diagram of a domain having devices with 

corresponding IP addresses; 

Fig. 6 is a diagram of the domain of Fig. 5 having 

devices that communicate with each other and with 

devices outside of the domain; 

Fig. 7 is a diagram of the domain shown in Fig. 6 

having a firewall; 

Fig. 8 is a diagram of a switching device; 

Fig. 9 is a diagram of a filtering device; 

Fig. 10 is a diagram of a domain including a DNS 

proxy device; 

Fig. 11 is a diagram of a domain including a DNS 
proxy device incorporated in a firewall; 
Fig. 12 is a flowchart of a process for the switching 
device; and 

Fig. 13 is a flowchart for a process of the filtering 
device. 

DETAILED DESCRIPTION OF PREFERRED 
EMBODIMENTS 

Figure 1 shows a physical connection for a distrib- 
utive system 20 including network 10 and devices 102, 
104 and 106. The distributive system 20 may be organ- 
ized as a domain name system (DNS) 30 as shown in 
Fig. 2. 

The DNS 30 has a root 100 that holds the highest 
level authority for domain names in the DNS 30. The 
root may assign domain names such as edu, com and 
gov representing educational institutions, commercial 
institutions and government institutions, respectively. 
Each of these domains may be further divided into other 
domains such as purdue.edu, att.com and nrl.gov. The 
root 100 nr»ay delegate name authority for domains to* 
other devices called authoritative name servers. For ex- 
ample, the domain att.com may be owned and control- 
led by AT&T Corp. AT&T Corp. may designate devices 
to be authoritative name servers which has authority to 
assign and manage names within the att.com domain. 
Thus, the complete DNS 30 may be divided into a plu- 
rality of domains in which the naming authority in each 
domain is vested in authoritative name servers of that 
domain. 

Authoritative name servers may delegate its name 
authority to yet other servers within its domain. For ex- 



ample, the att.com domain may have a device named 
server.att.com as an authoritative name server that has 
authority for domain names under att.com. Att.com may 
have a subdomain called research.att.com and server. 

5 att.com may delegate the name authority for the re- 
sea rch.att.com subdomain to a device named server, re - 
search.att.com. Subdomains are also called domains. 
Thus, server.research.att.com has name authority for 
device names in the research.att.com domain such as 

10 wsl.research.att.com for device 102 and ws2.research. 
att.com for device 104. 

Server.bu2biz.com may be an authoritative name 
server tor the buzbiz.com domain. The buzbiz.com do- 
main may contain a device such as device 1 06 having 

IS the name intru.buzbiz.com. 

Figure 3 shows the DNS 30 divided into domains 
purdue.edu 202, atl.com 204, buzbiz.com 206, nrl.gov 
208 and root 210. The root domain 101 is shown to in- 
clude domains edu. com and gov. The domains edu. 

20 com and gov may be delegated by the root name server 
100 to other authorrtative name servers, however, in this 
case, a single name server, root 100. retains the author- 
ity for domains edu, com and gov. 

As discussed earlier, data is transferred among the 

2S devices 102, 104 and 106 in the DNS 30 by using IP 
addresses. Figure 4 shows the IP addresses of devices 
102, 104 and 106. In order to transfer data from device 
106 to device 102, device. 106 must specify 
192.193,194,1 as the destination IP address. 

30 Every device in the DNS 30 has at least one IP ad- 
dress. As shown in Fig. 5, the domain 204 includes de- 
vices 102, 104, 108 and 110. Each of the above devices 
has a domain name and an IP address. Server. re- 
search.att.com is the name of the device 110 having the 

35 IP address of 192.203.194.3 and server. res earch.att. 
com is an authoritative name server for the research. att. 
com domain 210. The research.att.com domain 210 in- 
cludes devices 102 and 104 having IP. addresses 
192.193.194.1 and 192.193.194.2, respectively. 

40 Because each device in the DNS 30 has a domain 
name and an IP address, two translation tables can be 
constructed, for example, see Table 1 and Table 2 be- 
low. Table 1 of domain names has for each domain 
name a corresponding IP address and Table 2 of IP ad- 

<5 dresses has for each IP address a corresponding do- 
main name. If Table 1 is sorted by the domain name and 
Table 2 is sorted by the IP addresses, Table 1 may be 
used to quickly determine the IP address for a domain 
name and Table 2 may be used to quickly determine the 

50 domain name for an I P address. Each name server con- 
tains tables corresponding to Table 1 and Table 2 for all 
the devices for which it has name authority. Because 
authoritative name servers contain this information, oth- 
er devices send get-address and get-name requests to 

55 the authoritative name servers to provide IP addresses 
of domain names and dorrtain names of IP addresses, 
respectively, under its authority. 
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Table 1 


att.com 


128.129.130.1 


research.att.com 


192.203.194.3 


wsl .research.att.com 


192.193.194.1 


ws2. research.att.com 


192.193.194.2 



Table 2 



128.129.130.1 


att.com 


192.193.194.1 


ws1.research.att.com 


192.193.194.2 


ws2.research.att.com 


192.203.194.3 


research.att.com 



When a first device receives an instruction to send 
data to a second device known by its domain name, the 
first device sends a query request to an authoritative 
name server of the second device for the IP address of 
the second device. The authoritative name server either 
returns the requested information or if the name author- 
ity has been delegated, the authoritative name server 
returns the name of another authoritative name server 
that has the information. After obtaining the IP address, 
the first device incorporates the IP address into a mes- 
sage containing the data and sends the message to the 
second device. 

Not all name servers have name authority. Some- 
times file servers retain domain nanaes and IP address- 
es so that devices local to the file servers can gain easy 
access to names of other local devices. These file serv- 
ers are also called name servers or resolvers for resolv- 
ing domain names with IP addresses and vice-versa. 

If a name server (authoritative or non-authoritative) 
forwards an IP address not known by the name server, 
the IP address is also stored in the name server's cache 
memory as a resource record for future resolution of the 
same domain name. Thus, authoritative name servers 
also accumulate IP addresses and corresponding do- 
main names to facilitate efficient resolution of domain 
names to IP addresses and vice-versa. Thus, authori- 
tative name servers are also referred to as resolvers for 
resolving domain names. 

In a further effort to improve the efficiency of the 
DNS 30, name servers often pass on "additional infor- 
mation" such as IP addresses of other related devices 
and their domain names by appending the additional in- 
formation to query request responses. Resolvers re- 
ceive and store the additional information in the cache 
memories for future address resolutions. 

Figure 6 shows that the domain 204 further includes 
resolvers 112 and 114. Devices 102 and 104 send query 
requests to resolvers 112 and 114 via communication 
lines 302 and 308 respectively to resolve domain names 
into IP addresses. The resolvers 112 and 114 are phys- 
ically located close to the devices 102 and 104, respec- 
tively. For example, the resolvers 112 and 114 may be 



on the same LAN or closely connecled in a single build- 
ing to the devices 102 and 104, respectively. Thus, ad- 
dress resolution required by the devices 102 and 104 
may be performed without any network traffic beyond 

5 local LAN connections. 

However, when the resolvers 112 and 114 resolves 
domain names by receiving IP addresses not obtained 
from an authoritative source, the IP addresses are of- 
fered to the querying device as not authoritative. Many 

10 times the querying device decides to use the IP address 
anyway because the DNS 30 in general does not 
change that quickly. 

The DNS 30 changes because machines are add- 
ed, moved or removed, for example. In this dynamic sit- 

fs uation, each of the resource records includes a time-to- 
live field that indicates the lifetime of each resource 
record. The resolvers 112 and 114 discard resource 
records periodically when the time-to-live value of the 
resource records expire. The time-to-live values are set 

20 by the name server that has authority over the contents 
of the resource record such as the IP address. 

As discussed earlier, att.com may be a domain 
owned and controlled by the AT&T Corp. Thus, all the 
devices controlled by the AT&T Corp. are within the att. 

2S com domain. The AT&T Corp. may distribute the devices 
in the att.com domain in sites which are physically dis- 
tant from each other. For example, device 102 and re- 
solver 112, may be located in one site and device 104 
and resoh/er 114 may be located at another site. The 

30 communication paths 302, 304 and 308 represent inter- 
communication between devices within the att.com do- 
main even though communication path 304 is between 
geographically two distant locations. Communication 
paths 310 and 312 represent communication paths be- 

35 tween the resolvers 112 and 114 within the att.com do- 
main and devices of other domains. 

Because information being exchanged within the 
att.com domain may be valuable to the AT&T Corp., 
there is great interest to protect the information deemed 

40 private to att.com from unauthorized access. Private in- 
formation of a domain is information that describes 
something about that domain. The authority to change 
the private information lies within the domain. For ex- 
ample, IP addresses and domain names are private in- 

45 formation within the domain. 

Devices such as a firewall 402, as shown in Fig. 7, 
is installed to control data transfers in and out ot the do- 
main 204. Communication paths 310 and 312 pass 
through the firewall 402 before reaching devices outside 

50 the domain 204 through communication line 316. The 
firewall 402 prevents unauthorized transfer of private in- 
formation out of the domain 204 and denies requests 
from devices external to the domain 204 for information 
that is private to the domain 204. 

55 However, some conventional firewalls fail to pre- 

vent access to private information that are obtained in- 
directly by exploiting name resolution methods used by 
domain name systems such as DNS 30. In particular, 
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the process by which domain names are resolved into 
the corresponding IP addresses may be exploited by 
one of several methods. Some of these methods are ex- 
plained below by way of examples. 

For the purposes of the following examples, it is as- 5 
sumed that an intruder has identified a target device, a 
user name to impersonate and a device trusted by the 
target device so that a password is not necessary for 
the trusted device to login to the target device. The in- 
truder may be able to identify target devices from mail 
messages or news articles. Once the target device is 
identified, the intruder may use standard services such 
as simple network management protocol (SNMP) to ex- 
amine the target device to discover other devices that 
are connected to the target device. In addition, services 
such as "finger* provides personal information about ei- 
ther an individual user or other user's logged onto a sys- 
tem. Moreover, mail headers often indicate the name of 
a file server that is an apparent sender of the mail and 
the name of the actual device that originated the mail 
which typically is the name of a workstation. In general, 
file servers and workstations served by the file server 
communicate without using passwords. Thus, the in- 
truder may obtain all the required information using 
standard available services. 

Assuming that the intruder has control of a legiti- 
mate name server such as intru.buzbiz.com in the buz- 
biz.com domain, the intruder has the ability to modify 
any of the files in intru.buzbiz.com. If the intruder has 
identified wsl.research.att.com as a target and has also 
identified ws2.research.att.com as a device trusted by 
wsl.research.att.com, then the intruder may modify the 
translation table, similar to Table 2, used to convert IP 
addresses to corresponding domain names so that the 
IP address of intru.buzbiz.com (201.202.203.1) corre- 
sponds to the domain name ws2.research.att.com. After 
modifying the translation table, the intruder then at- 
tempts to login to wsLresearch.att.com as a trusted de- 
vice using an riogin procedure and providing 
201.202.203.1 as the IP address of ws2.research.att. 
com. 

After receiving the riogin request, wsl. research. att. 
com executes a get-name request for the IP address 
201.202.203.1 to obtain the corresponding domain 
name. The get- name request is eventually routed to in- 
lru.buzbiz.com because inlru.bU2biz.com is the author- 
itative address server for the 201 .202.203. 1 IP address 
and has the table to convert 201 .202.203. 1 to its corre- 
sponding domain name. However, because the table 
has been modified to output ws2.research.att.com in- 
stead of intru.buzbiz.com in response to a get-name re- 
quest for IP address 201.202.203.1. the erroneous do- 
main name of ws2.research.att.com is retumed. Thus, 
wsl.research.att.com receives ws2.research.att.com as 
the domain name of the device corresponding to the 
riogin request. Since ws2.research.att.com is a trusted 
machine, wsl.research.att.com accepts the riogin re- 
quest and permits the intruder to login to wsl. research. 



att.com. Accordingly, the intruder gains access to all the 
private information reachable from within wsl research. 
att.com. 

Another technique for gaining unauthorized access 
to private information is to poison the cache memory of 
a resolver such as resolver 112. Assuming that the in- 
truder has identified wsl.research.att.com as a target, 
the intruder by various methods induces wsl research. 
att.com to query intru.buzbiz.com for information. 
Ws1.research.att.com sends a get-address request to 
resolver 112 to obtain the IP address of the intruding 
device intru.buzbiz.com. Since the resolver 112 does 
not have any information regarding intru.buzbiz.com, it 
outputs a get-address request to a name server for intru. 
buzbiz.com, which in this case is intru.buzbiz.com itself. 
Intru.buzbiz.com returns the requested IP address but 
appends additional information which indicates that the 
IP address of ws2.research.att.com is associated with 
IP address 201.202.203.1 instead of the legitimate IP 
address 192.193.194.2. The intruder sets a very short 
time-to-live for the additional information so that the re- 
solver 112 will erase the corrupted resource record soon 
after the intruder completes the unauthorized access. 
The resolver accepts the response from intru. buzbiz. 
com and, as discussed earlier, enters the IP address for 
intru.buzbiz.com into its cache as well as the corrupted 
IP address 201.202.203.1 for ws2.research.att.com. 
Thus, the cache merrory of resolver 112 is poisoned 
with the corrupted IP address for ws2.research.att.com. 

Subsequently, intru.buzbiz.com logins to wsl.re- 
search.att.com using 201.202.203.1 as the IP address. 
When wsl.research.att.com executes a get-name in- 
struction, the resolver 112 returns ws2.research.att.com 
based on the information in its poisoned cache. Wsl .re- 
search. att. com then grants the riogin request by the in- 
truder because ws2.research.att.com is a trusted de- 
vice. Then, because the short time-to-live of the re- 
source record for the corrupted IP address expires, the 
resolver 112 discards the resource record erasing any 
trace of the intrusion. Thus, the intruder has again suc- 
cessfully gained access to all the private information 
fromwithinws1.research.att.com. 

The intruder is not restricted to using the riogin pro- 
cedure as discussed above. For example, once the cor- 
rupted IP address is accepted by the resolver 112 or 
wsl .research.att.com, the intruder may choose to inter- 
cept any messages sent by wsl.research.att.com to 
ws2.research.atl.com. The interception is possible be- 
cause the resolver 112 returns to wsl.research.att.com 
the IP address corresponding intru.buzbiz.com instead 
of the IP address of ws2.research.att.com. After receiv- 
ing the outputs of wsl.research.att.com intended for 
ws2. research.att.com, the intruder rr^y forward the data 
to ws2.research.atl.com so that the communication be- 
tween wsl.research.att.com and ws2.research.att.com 
continues without being modified. Thus the intruder may 
intercept private inforrration such as passwords with lit- 
tle chance of being detected. 
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The unauthorized access to private information by 
the intruder described above is achieved because de- 
vices within the domain 204 receives an IP address of 
other devices in the domain 204 from an unreliable 
source external to the domain 204. The present inven- 
tion prevents corrupted private information such as IP 
addresses from entering a domain by preventing two 
types of communications from occurring as discussed 
below. 

1) . The invention prevents a device from within a 
domain from requesting private information from a 
device external to the domain. As shown in Fig. 8, 
a switching device 500 receives queries 510 of get- 
name or get-address requests. The switching de- 
vice 500 searches the contents of each request and 
any request for names or IP addresses ot devices 
within the domain 204 is redirected to a name server 
interna! to the domain 204 as redirected requests 
514. Requests for names or IP addresses of devic- 
es outside of the domain 204 is forwarded to the 
appropriate name server external to the domain 204 
as forwarded requests 512. 

2) The invention provides a filter device that pre- 
vents private information from entering the domain 
from an unreliable source external to the domain. 
The filter device filters out all private information 
provided by devices external the domain. 

As shown in Fig. 9, the filter device 502 receives 
messages 520 from devices external to the domain 204. 
The filter device 502 examines the received messages 
520 for any information that is private to domain 204 
such as IP addresses and domain names and deletes 
the private information from the rnessages. Then the fil- 
tered messages 522 are forwarded to the destination 
devices in domain 204. 

Figure 10 shows that the domain 204 includes a 
DNS proxy device 404. The DNS proxy 404 performs 
the switching and filtering functions described above. In 
this embodiment, the devices within the domain 204 are 
modified to direct all queries to the DNS proxy 404. The 
DNS proxy 404 examines all query requests from devic- 
es in the domain 204 and separates requests tor infor- 
mation private to the domain 204 and requests for other 
information. Requests for private information are redi- 
rected to name servers within the domain 204 such as 
server.att.com and server.research.att.com. Queries for 
information other than private information are forwarded 
to the firewall 402 through communication path 328 
which in turn forwards the request to external sources 
through communication path 316. 

The embodiment shown in Fig. 10 requires modifi- 
cation of the software of devices such as resolvers 112 
and 1 1 4 and device 1 1 6 to redirect query requests to the 
DNS proxy 404 instead of an appropriate name server 
external to the domain 204. The device 116 is not a 
name server but has the ability to communicate with ex- 



ternal sources directly through communication path 
322. This embodiment redirects the communication 
paths 318. 320 and 322 to the DNS proxy 404. 

Information received from external sources through 

5 communication path 330 is filtered by the DNS proxy 
404. The DNS proxy 404 examines all the information 
entering domain 204 and filters out any information that 
is private to the domain 204 such as IP addresses of 
devices within the domain 204. The private information 

10 included in the information supplied by the external 
sources is deleted before the information is forwarded 
to the destination device within the domain 204., Thus 
any attempt to append corrupted IP addresses to legit- 
imate responses to query requests are eliminated. 

^5 information received from the external sources 
through communication path 330 may also be deleted 
or nnodified for local security administrative policies. For 
example, if the information received from the external 
sources include pointers to name servers outside ot the 

20 domain 204 and the pointers must be deleted before for- 
warding the information to a destination device within 
the domain 204. Otherwise, devices within the domain 
204 may attempt to contact these name servers directly 
without the intervention of the DNS proxy 404. Con- 

2S versefy: pointers to name servers within the domain 204 
may be inserted into the information received from ex- 
ternal sources so that future name or address queries 
internal to the domain 204 may be resolved directly, 
without the aid of the DNS proxy 404. 

30 Also, information such as electronic mail exchange 
records received from the external sources may be 
modified to redirect outbound electronic mail to a log- 
ging device (not shown) within the domain 204 to main- 
tain a log record. The log record provides additional in- 

35 formation to assist the protection of private information 
within the domain 204. 

Figure 1 1 shows that the DNS proxy 404 is incorpo- 
rated into the firewall 402. In this embodiment, none ot 
the programs of the devices within the domain 204 need 

40 to be modified. All the query requests continue to be di- 
rected to external sources through communication 
paths 310, 312 and 322. However, the DNS proxy within 
the firewall 402 switches all query requests for private 
information of the domain 204 to either serveratt.com 

45 or server.research.att.com, tor example, through com- 
munication paths 324 and 326, respectively. Information 
input from external sources through communication 
paths 322 are filtered to delete any private information 
before forwarding to the destination devices within the 

50 domain 204. 

Figure 12 shows a process of the DNS proxy 404 
performing the switching function. In step SI 000, the 
DNS proxy 404 receives query requests directed to de- 
vices external to the domain 204 and goes to step 

55 S1002. In step S1002, the DNS proxy 404 examines 
each query request to determine if private information 
is being solicited from the devices external to the domain 
204. Then the DNS proxy 404 goes to step SI 004. In 
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step SI 004. the DNS proxy 404 goes to step SI 006 if 
private information was requested; otlierwise, the DNS 
proxy 404 goes to step SI 010. 

In step SI 006. the DNS proxy 404 separates re- 
quests for private information of the domain 204 from 
requests for information not private to the domain 204. 
Then the DNS proxy 404 goes to step S1008. In step 
SI 008, the DNS proxy 404 redirects all requests for pri- 
vate information to a device within the domain 204 such 
as a name server of the domain 204. Then the DNS 
proxy goes to step SI 01 0. 

In step S1010. the DNS proxy 404 forwards all re- 
quests for information not private to the domain 204 to 
the device external to the domain 204. Then the DNS 
proxy 404 goes to step 51012 and ends the process. 

Figure 1 3 shows the process of the DNS proxy 404 
for filtering communication received from a device ex- 
ternal to the domain 204. In step S2000, the DNS proxy 
404 receives the communication from the external de- 
vice and goes to step S2002. In S2002, the DNS proxy 
404 examines the communication for private informa- 
tion and goes to step S2004. In step S2004. the DNS 
proxy 404 goes to step S2006 if private information was 
discovered in the communication from the external de- 
vice; otherwise, the DNS proxy 404 goes to step S2008. 

In step S2005, the DNS proxy 404 filters the com- 
munication by removing all private information from the 
communication and goes to step S2008. In step S2008, 
the DNS proxy 404 forwards the filtered communication 
to the destination device within the domain 204, goes to 
step S2010 and ends the process. 

While this invention has been described in conjunc- 
tion with specific embodiments thereof, it is evident that 
many alternatives, modifications and variations will be 
apparent to those skilled in the art. Accordingly, pre- 
ferred embodiments of the invention as set forth herein 
are intended to be illustrative, not limiting. Various 
changes may be made without departing from the spirit 
and scope of the inventions as defined in the following 
claims. 



Claims 

1 , A subsystem in a domain name system that restricts 
access to private information of a first domain, the 
first domain being coupled to the second domain, 
the system comprising: 

a switching device that receives a communi- 
cation from a first device of the first domain, the 
communication including a first request for the pri- 
vate information of the first domain being directed 
to the device of the second domain, the switching 
device redirecting the first request for the private in- 
formation to a second device in the first domain. 

2. The subsystem of claim 1 . wherein the communica- 
tion includes a second request for Information that 



is not private information of the first donriain, the 
switching device forwarding the second request to 
the device of the second domain. 

5 3. The subsystem of claim 1 . wherein the second de- 
vice is a name server of the first domain. 

4. The subsystem of claim 1, wherein the private in- 
formation is at least one of a domain name of a de- 

10 vice in the first domain and an IP address of the de- 
vice in the first domain. 

5. The subsystem of claim 1 , wherein the first domain 
. comprises a plurality of devices, the plurality of de- 

15 vices being modified to direct all communication 
with the second domain to the switching device. 

6. The subsystem of claim 1 , wherein the first device 
is one of a name server and a resolver, requests for 

20 information from devices in the first domain other 
than the first device being directed to the first de- 
vice. 

7. The subsystem of claim 1, wherein the switching 
2S device is part of a firewall of the first domain. 

8. A method of operation of a subsystem in a domain 
name system for restricting access to private infor- 
mation of a first domain, the first domain being cou- 

30 pled to the second domain, the method comprising: 

receiving a communication from a first device 
of the first domain that is directed to the device 
of the second domain, the communication in- 
35 eluding a first request for the private information 

of the first domain; and 

redirecting the first request for the private infor- 
mation of the first domain to a second device 
of the first domain. 

40 

9. The method of claim 8, further comprising: 

forwarding a second request of the communi- 
cation from the first device to the device of the sec- 
ond domain, the second request requesting infor- 
ms mation not private to the first dorrain. 

10. The method of claim 8. wherein the second device 
is a name server of the first domain. 

50 11. The method of claim 8, wherein the private informa- 
tion is at least one of a domain name and an IP ad- 
dress in the first domain. 

12. An apparatus for use in a donr^in name system, 
55 comprising: 

a switching device that receives a communi- 
cation from a first device of the first domain, the 
communication including a first request for the pri- 
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vate information ot the firsi domain being directed 
to the device ot the second domain, the switching 
device redirecting the first request for the private in- 
formation to a second device in the first domain. 

13. The apparatus of claim 12, vyherein the communi- 
cation includes a second request for information 
that is not private information of the first domain, the 
switching device forwarding the second request to 
the device of the second domain. 

1 4. The apparatus of claim 1 2, wherein the second de- 
vice is a name server of the first domain. 



15. The apparatus of claim 12, wherein the private in- t5 
formation is at least one of a domain name of a de- 
vice in the first domain and an IP address of the de- 
vice in the first domain. 

16. The apparatus of claim 12, wherein the switching 
device Is part of a firewall of the first domain. 

1 7. A method of operation of an apparatus In a domain 
name system for restricting access to private infor- 
mation of a first domain, the first domain being cou- 2S 
pled to the second domain, the method comprising: 

receiving a communication from a first device 
of the first domain that is directed to the device 
of the second domain, the communication in- 30 
eluding a first request for the private information 
of the first domain; and 
redirecting the first request for the private infor- 
mation of the first domain to a second device 
of the first domain. 35 



18. The method of claim 17. further comprising: 

forwarding a second request of the communi- 
cation from the first device to the device of the sec- 
ond domain, the second request requesting infor- 40 
mation not private to the first domain. 

1 9. The method of claim 1 7, wherein the second device 
is a name server of the first domain. 

45 

20. The method of claim 17, wherein the private infor- 
mation is at least one of a domain name and an IP 
address in the first domain. 

so 
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(54) A method and apparatus for restricting access to private information in domain name 
systems by redirecting query requests 



(57) A device and method redirect query requests 
to restrict access to private information of a domain in a 
domain name system. The device includes a switching 
device that redirects query requests for the private in- 
formation from within the domain to a device within the 



domain. The private, information includes IP addresses 
and domain names. All the devices in the domain may 
be modified to direct all query requests to the switching 
device or the switching device may be incorporated into 
a firewall of the domain. 
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